Sign, verify, and HMAC operations
KMS supports asymmetric signing and verification for RSA, ECDSA, and Ed25519 keys, and HMAC generation and verification for HMAC key types.
Sign and verify
Supported key types
| Key type | Sign | Verify |
|---|---|---|
| rsa-2048, rsa-3072, rsa-4096 | ✓ | ✓ |
| ecdsa-p256, ecdsa-p384, ecdsa-p521 | ✓ | ✓ |
| ed25519 | ✓ | ✓ |
API operations
| Operation | Endpoint |
|---|---|
| Sign | POST /v1/kms/{region}/keys/{id}/sign |
| Verify | POST /v1/kms/{region}/keys/{id}/verify |
Sign
Submit the data to sign as base64-encoded input. The response includes the signature and the key version used.
```bash
# Input is submitted base64-encoded; -n avoids signing a trailing newline
INPUT=$(echo -n "document content" | base64)
curl -s -X POST \
-H "Authorization: Bearer $TOKEN" \
-H "X-Organisation-Identity: $ORG_ID" \
-H "Content-Type: application/json" \
-d "{\"input\": \"$INPUT\"}" \
https://api.thalassa.cloud/v1/kms/nl-01/keys/my-signing-key/sign
```
Verify
Submit the original input and signature. The response indicates whether the signature is valid.
```bash
# SIGNATURE is the base64 signature returned by the sign call above
curl -s -X POST \
-H "Authorization: Bearer $TOKEN" \
-H "X-Organisation-Identity: $ORG_ID" \
-H "Content-Type: application/json" \
-d '{
"input": "'"$INPUT"'",
"signature": "'"$SIGNATURE"'"
}' \
https://api.thalassa.cloud/v1/kms/nl-01/keys/my-signing-key/verify
```
Use cases
- DNS DNSSEC — Zone signing uses a regional asymmetric KMS key as the Key Signing Key (KSK). See Integrations and DNSSEC.
- Code and artifact signing — Sign release artifacts, configuration bundles, or attestations
- Document signing — Verify signed documents using exported public keys for offline validation
New sign operations use the latest key version by default. Signatures embed version information so verification works across rotations.
HMAC
Supported key types
| Key type | HMAC | Verify HMAC |
|---|---|---|
| hmac | ✓ | ✓ |
| hmac-sha256 | ✓ | ✓ |
| hmac-sha512 | ✓ | ✓ |
HMAC keys cannot be imported via BYOK.
API operations
| Operation | Endpoint |
|---|---|
| HMAC | POST /v1/kms/{region}/keys/{id}/hmac |
| Verify HMAC | POST /v1/kms/{region}/keys/{id}/verify-hmac |
Generate HMAC
```bash
# Input is submitted base64-encoded
INPUT=$(echo -n "webhook-payload" | base64)
curl -s -X POST \
-H "Authorization: Bearer $TOKEN" \
-H "X-Organisation-Identity: $ORG_ID" \
-H "Content-Type: application/json" \
-d "{\"input\": \"$INPUT\"}" \
https://api.thalassa.cloud/v1/kms/nl-01/keys/api-hmac/hmac
```
Verify HMAC
```bash
# HMAC is the value returned by the HMAC call above
curl -s -X POST \
-H "Authorization: Bearer $TOKEN" \
-H "X-Organisation-Identity: $ORG_ID" \
-H "Content-Type: application/json" \
-d '{
"input": "'"$INPUT"'",
"hmac": "'"$HMAC"'"
}' \
https://api.thalassa.cloud/v1/kms/nl-01/keys/api-hmac/verify-hmac
```
Use cases
- Webhook payload authentication
- API request integrity checks
- Token or session validation where symmetric message authentication is appropriate
Public key export for offline verification
For RSA and ECDSA keys, export public keys in PEM format. For Ed25519, public keys are returned as base64-encoded raw key material.
GET /v1/kms/{region}/keys/{id}/public-key
Use exported public keys to verify signatures without calling the verify API, or for client-side RSA encryption workflows. See Export and public keys.
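Because Ed25519 public keys are exported as raw base64 rather than PEM, offline tooling that expects a PEM SubjectPublicKeyInfo (openssl, most crypto libraries) needs the raw bytes wrapped first. The following is an added example, not part of the Thalassa documentation or API client; it uses only the Python standard library, the fixed RFC 8410 DER prefix for Ed25519, and a constructed 32-byte sample key in place of the value the export endpoint returns (the response field name is not shown on this page and is not assumed here).

```python
import base64
import textwrap

# DER prefix of a SubjectPublicKeyInfo for an Ed25519 key (RFC 8410):
# SEQUENCE(42) { SEQUENCE(5) { OID 1.3.101.112 } BIT STRING(33) { 0x00 || 32-byte key } }
ED25519_SPKI_PREFIX = bytes.fromhex("302a300506032b6570032100")


def ed25519_raw_to_pem(raw_b64: str) -> str:
    """Wrap the base64 raw Ed25519 public key from the export endpoint into a
    PEM SubjectPublicKeyInfo, refusing anything that is not exactly 32 bytes."""
    raw = base64.b64decode(raw_b64, validate=True)
    if len(raw) != 32:
        raise ValueError(f"Ed25519 public key must be 32 bytes, got {len(raw)}")
    der = ED25519_SPKI_PREFIX + raw
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode("ascii"), 64))
    return f"-----BEGIN PUBLIC KEY-----\n{body}\n-----END PUBLIC KEY-----\n"


def ed25519_pem_to_raw(pem: str) -> bytes:
    """Inverse direction: recover the 32 raw key bytes from a PEM block, and
    reject PEMs that are not an Ed25519 SubjectPublicKeyInfo (e.g. an RSA key)."""
    lines = [line.strip() for line in pem.strip().splitlines()]
    if lines[0] != "-----BEGIN PUBLIC KEY-----" or lines[-1] != "-----END PUBLIC KEY-----":
        raise ValueError("not a PEM PUBLIC KEY block")
    der = base64.b64decode("".join(lines[1:-1]), validate=True)
    if len(der) != 44 or not der.startswith(ED25519_SPKI_PREFIX):
        raise ValueError("not an Ed25519 SubjectPublicKeyInfo")
    return der[len(ED25519_SPKI_PREFIX):]


# Constructed sample: 32 arbitrary bytes standing in for the raw key material
# returned by GET /v1/kms/{region}/keys/{id}/public-key for an ed25519 key.
SAMPLE_RAW_B64 = base64.b64encode(bytes(range(32))).decode("ascii")

if __name__ == "__main__":
    pem = ed25519_raw_to_pem(SAMPLE_RAW_B64)
    print(pem)
    assert ed25519_pem_to_raw(pem) == bytes(range(32))
```

The resulting PEM can be handed to openssl or a crypto library for signature verification; remember that the signing input was base64-encoded on the wire, so verify against the decoded original bytes.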
Regional requirement
All sign, verify, HMAC, and verify-HMAC calls must target the key’s region. Cross-region use is not supported.
Errors
| HTTP status | Typical cause |
|---|---|
| 400 | Key disabled or pending deletion; operation not supported for key type |
| 404 | Key not found or insufficient IAM access |
Audit events
| Operation | Audit action |
|---|---|
| Sign | kms.sign |
| Verify | kms.verify |
| HMAC | kms.hmac |
| Verify HMAC | kms.verify_hmac |
See Audit log for what is and is not recorded.